Table of Contents
Craft Aid International Data Protection Policy
Definitions
1. Introduction
2. Purpose of this Policy
3. To Whom the Policy Applies
4. Policy
5. GDPR Policy Principles
5.1 Data Collection & Usage
5.2 Data Quality
5.3 Individual’s rights
5.4 Data Security, Storage and Destruction
5.5 Staff data held by CAI
5.6 External requests for data access
6. General staff guidelines on working practices to support the policy and principles
7. Responsibilities
Appendix 1: Accountability and Governance
Appendix 2: Registration with ICO and Data Protection Fee
Document history:
Version | Date | Author | Reviewer | Summary of Changes | Issue Date
0.1 | 15/05/18 | E Waters | S Hart | First draft | 18/05/18
4. Policy
This CAI Data Protection Policy:-
▪ accepts that by the nature of its work, CAI processes data which is of a sensitive and personal nature
▪ clarifies CAI’s expectations of Staff with regard to the processing of personal data (personal data
means information that relates to a living individual who can be identified from the information: it
also includes expressions of opinion and intention)
▪ gives specific details about the type of information that CAI keeps about its Staff and Stakeholders
and the purposes for which it keeps them
▪ sets out the duration for which data is retained by CAI
▪ sets out security measures which Staff must observe to protect data within CAI.
In developing this policy:-
1) In accordance with the GDPR, the Trustees will appoint a Data Protection Officer, a named individual
reporting to the Trustees with day-to-day responsibility for ensuring and demonstrating compliance
with the GDPR; see section 'Responsibilities' defining the specific responsibilities of the Trustees and
the Data Protection Officer.
2) CAI must perform and document a Data Protection Impact Assessment (DPIA), repeat it periodically
thereafter, and repeat it whenever there is a change in CAI's activities, way of working, or technology usage.
GDPR Article 6 states processing shall be lawful only if and to the extent that at least one of the following
applies:
1. The data subject has given consent to the processing of his or her personal data for one or more
specific purposes;
2. Processing is necessary for the performance of a contract to which the data subject is party, or in
order to take steps at the request of the data subject prior to entering into a contract;
3. Processing is necessary for compliance with a legal obligation to which the controller is subject;
4. Processing is necessary in order to protect the vital interests of the data subject or of another natural
person;
5. Processing is necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller;
6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a
third party, except where such interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data, in particular where the data
subject is a child.
CAI's Data Protection Policy is designed to comply with these 6 GDPR principles and the requirements of
lawful processing in the following 6 areas:
1. Data collection and usage
2. Data quality
3. Individuals’ rights
4. Data security, storage, destruction and retention
5. Staff data held by CAI
6. External requests for data access
These areas are covered in detail in the following pages.
The Privacy Notice should address the following to inform the data subject:
▪ who is collecting the data
▪ what data is being collected
▪ the legal basis for processing the data
▪ whether the data will be shared with any third parties
▪ how the information will be processed
▪ how long the data will be stored
▪ the rights of the data subject (see section 3 below: “Individual’s rights”)
▪ how the data subject can raise a complaint, and to whom (e.g. the Data Protection Officer)
▪ request consent to process the personal data, and requesting explicit consent for Sensitive
Personal Data (see next paragraph);
▪ if applicable, to allow the recipient to opt out of future marketing literature and
communications
The Police
If data is requested by the police, it must be confirmed that the reason for the request is that they
wish to contact a named individual about a named criminal investigation (regardless of whether that
individual is a suspect or witness) and that failure to release the data would prejudice the
investigation. Most police forces will have their own request form which should always include a
statement confirming that the information requested is used for the purposes covered in Section 29
of the DPA, a brief outline of the nature of the investigation, the person’s role in that investigation,
and the signature of the investigating officer. This document must be obtained prior to the release
of any information.
Court Order
CAI may receive a request for disclosure in the form of a Court Order.
Research purposes
Occasionally a company or a funder will wish to use CAI's data for research purposes. If Participants
and other members of staff have given consent for the use of their data for research purposes
through a Privacy Notice, usually data can be released. However, this is not always the case and
advice should be sought before data is actually released.
Sharing information
Data can only be shared with the individual’s consent. However, there are exceptional circumstances
where it may be necessary to share information without consent. Examples of these circumstances
are where it is not possible to obtain consent beforehand or because it might prejudice the purposes
for which the information is being disclosed.
Examples are as follows:
▪ the individual is at risk of harm, needs urgent medical treatment, or may harm someone
else;
▪ the disclosure prevents an individual committing a criminal offence that could put others
at risk or place a member of Staff or any other person at risk of accusations of collusion;
▪ if CAI is ordered to provide information as part of legal proceedings;
▪ to protect children, young people or vulnerable adults from abuse.
N.B. This is not an exhaustive list, so if in doubt please contact the Data Protection Officer. CAI will
consider every request on a case-by-case basis.